The Article 29 Working Party’s new opinion on anonymization techniques provides a useful primer on randomization and generalization (i.e., data aggregation) techniques used to anonymize data sets. The opinion analyzes each technique based on three ways that data can be re-identified: the ability to single out individuals after the anonymization technique has been applied; the linkability of the anonymized data sets to other data sets; and finally the ability of the data sets to resist inference attacks after application of the anonymization technique. Organizations depending on anonymization for compliance with the Data Protection Directive would be well advised to review their anonymization processes to determine if they comport with the standards set out in the opinion.
On April 10, 2014, the Department of Justice (“DOJ”) and Federal Trade Commission (“FTC”) issued a joint policy statement on the antitrust implications of sharing cybersecurity information to help facilitate the flow of cyberintelligence throughout the private sector. The statement addresses the long-standing concern that sharing cyberintelligence may violate antitrust law under certain circumstances and explains the analytical framework for such arrangements to make it clear that legitimate cyberintelligence exchanges will not raise antitrust issues.
The U.S. Department of Health and Human Services (HHS) recently released a security risk assessment (SRA) tool as a resource to assist health care providers in complying with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
In a decision rendered on 8 April 2014, the European Court of Justice (ECJ) declared the Data Retention Directive invalid. The Court’s decision was grounded on its conclusion that, by requiring the retention of the data falling within the scope of the Directive, and by allowing the competent national authorities to access those data, the Directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.
A New Jersey federal judge yesterday issued the much-anticipated opinion in Federal Trade Commission v. Wyndham Worldwide Corp., denying Wyndham’s challenge to the FTC’s authority to regulate data security under Section 5 of the FTC Act. Although it only represents one district court’s findings on the issue, and was not a complete surprise given some of the judge’s statements during oral argument, the decision means that the Commission for now maintains its status as the lead commercial data security regulator in the United States.
Commenting that she “ha[d] wrestled with arguments in the parties’ initial briefing, oral argument, supplemental briefing, as well as in several amici submissions,” Judge Esther Salas of the U.S. District Court for the District of New Jersey concluded, among other rulings:
The following piece, written by the Hogan Lovells privacy team, was posted to the International Association of Privacy Professionals’ (IAPP) Privacy Tracker on April 1st. The post, Is Drone Privacy Ready to Take Off?, is reprinted in its entirety below with permission from the IAPP.
The Federal Trade Commission (“FTC”) has settled with two mobile application developers, Fandango and Credit Karma, over charges that they misrepresented the security of their mobile applications. According to the FTC, the developers failed to provide reasonable and appropriate security when their mobile applications transmitted consumers’ sensitive information. The particular issues noted by the FTC in its complaints against the developers differ to some degree, but the complaints share a common thread: the FTC alleges that the developers claimed to transmit sensitive data securely but disabled the Secure Sockets Layer (SSL) protocol, which authenticates and encrypts communications across networks.
Both developers have agreed to not misrepresent the privacy or security of their products and services and to establish comprehensive security programs that address security risks associated with the development and management of their products and services. Those security programs will be subject to independent, biannual assessments over the next two years. In the remainder of this post, we provide a high-level description of how SSL works, summarize the FTC’s complaints against Fandango and Credit Karma, and identify some important takeaways from these settlements.
Privacy enforcement in Hong Kong under its data protection law, the Personal Data (Privacy) Ordinance (PDPO), ramped up significantly last year. Hong Kong’s Privacy Commissioner for Personal Data received 1,792 complaints in 2013, a record high. The figures show a 48% increase in complaints filed and more than a doubling of the number of enforcement notices issued by the Commissioner, with 25 enforcement notices issued in 2013 against 11 in 2012. 78% of all complaints were made against the private sector, in particular the financial, telecommunications and property sectors. The Commissioner has confirmed that a key focus for 2014 will be to increase its enforcement efforts.
On March 27, senior members of the Hogan Lovells Privacy and Cybersecurity practice will present a timely and practical webcast on how businesses can prepare for and address the risks of cybersecurity incidents in this time of high alert.
At the Privacy and Civil Liberties Oversight Board hearing yesterday in Washington, D.C., Hogan Lovells partner and privacy practice lead Christopher Wolf spoke on the issue of privacy and government surveillance and provided a transnational perspective on legal regimes that regulate government access to data. From 2012 to 2013, Hogan Lovells published four White Papers (available here, here, here, and here) on government access to data in the cloud. The findings of the national security access White Paper, A Sober Look at National Security Access to Data in the Cloud, were a focal point of yesterday’s discussion.